New build: migrating from Sonicwall
-
Using DMZ mode for the interface pfSense is connected to would probably be easiest. You would end up with dual NAT for devices behind pfSense but that probably won't be an issue.
If you have multiple public IPs you could try to bridge one of them to pfSense directly somehow.
Steve
-
@stephenw10
Only one public IP, AFAIK. Simple Comcast Xfinity cable modem service with roughly 200 Mbps down, 12.5 up. I actually tried setting up the DMZ and failed. I've currently got it connected to one of the wired interfaces on a Unifi Edgeswitch at the moment and have come to terms with a cut over that will take down the network for a day or less. I created new VLANs for my servers, workstations, cameras, IoT devices, HVAC and general wireless clients. I then suddenly realized that I might not have a way to assign wireless clients to a specific VLAN without MAC-based VLAN assignment. As my cameras, IoT devices, HVAC and all other wireless clients will be connected to an Amplifi HD mesh network running in bridge mode, pfSense would have to implement MAC-based VLAN assignment to get them into the right VLANs.
Currently, on the TZ400, I have MAC-based address objects for wireless devices and have created address groups for cameras, HVAC, etc. This allows me to assign group-specific IP ranges. While not segregated using VLANs, it achieves the same end result. Not sure I can replicate this with pfSense, but that is likely just my lack of knowledge of the system.
-
MAC-based VLAN assignment would be done at the switch or access point, not the router/firewall. By the time traffic arrives at pfSense it would already be tagged.
-
jimp moved this topic from Problems Installing or Upgrading pfSense Software on
-
@stephenw10
Thanks for clarifying this. It looks like I will probably need to upgrade my switch from an Edgeswitch 18X to a USW-Pro-48-PoE that I have collecting dust in my office. I believe the larger switch allows for MAC-based filtering... might still be a little while yet before switching to pfSense in that case.
-
I have a 4-port Intel NIC arriving next week and it dawned on me that perhaps I could gain some performance and make the overall configuration simpler by using it to segregate networks. I currently have only 2 networks, however: one for servers and workstations and another for all of the wireless stuff (IoT, cameras, HVAC, etc.). My existing Edgeswitch X does have VLAN tagging facilities, just not MAC-address-based tagging capability. All I want to do is the following:
- Certainly segregate the servers & workstations from anything wireless.
- Have exceptions to this rule for specific devices (currently implemented based on MAC and IP ranges).
I've become very hung up on the wireless client segregation. Since the wireless clients are a smorgasbord of contexts (IoT, cameras, HVAC, etc.) and my WAP (Amplifi HD in bridged mode) does not have any way to segregate traffic itself, I was thinking that VLAN tagging could achieve that. The Amplifi system is a single-port connection to the core switch, so there's no way to segregate the contexts on different physical interfaces. I think VLAN tagging is the only way to do this, but I feel like I might be overcomplicating things and am not an expert in networking either.
-
You could just use multiple SSIDs on different VLANs to separate the wireless clients. That's what most people do, if the AP has that function.
-
It looks like the Amplifi HD does support VLAN tagging, but only if it's running in its normal router mode. Since I'm currently running a Sonicwall router (to be replaced with pfSense), my understanding is that I need to run Amplifi in its bridged mode, so no tagging by the system itself.
I do see that it can still set up additional SSIDs, including one specifically for an IoT network which creates a 192.168.251.x subnet for isolation. It seems that would work for all the wireless clients, but as far as VLAN tagging is concerned, one of my other network appliances would have to do that. I was thinking perhaps one of my Unifi switches may be able to do that? One switch is an Edgeswitch X, which I'm fairly certain would not be able to do that, but I believe the larger 48-port (enterprise-grade) unit runs a completely different firmware and can be configured using Unifi Network Controller... it may be able to do some more advanced configuration with regards to VLAN tagging of attached devices. Not sure, though.
-
Hmm, aren't those Ubiquiti devices? I'm surprised they can't do multiple SSIDs bridged to different VLANs; pretty sure most of their other devices do.
-
My switches are Ubiquiti devices and so is the Amplifi HD mesh network system. The switches are enterprise grade, but the Amplifi system is not. So, I guess it's possible that the switches may be able to do some tagging based on SSID, but I don't know. Might be a question worth posing on the UI community forum.
-
That would need to be done at the AP. Nothing beyond that sees the SSID.
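Two replies in this thread make the same point: the VLAN is chosen by the switch or access point where the client attaches (by MAC on a switch port, or by SSID on an AP), and pfSense only reads the 802.1Q tag that is already on the frame when it arrives on the trunk. The following Python is an added illustration of that split and is not code from any participant, from pfSense, or from Ubiquiti. It constructs raw Ethernet frames, applies a MAC-to-VLAN table the way an access port would (the equivalent of the TZ400's MAC-based address objects, moved to the edge), and then shows the router side doing nothing more than dispatching on the VID. The MAC addresses, VLAN numbers and interface names are constructed for the demo.

```python
"""Constructed demo of 802.1Q tagging: the edge device assigns the VLAN, the router reads it."""
import struct
from typing import Optional

TPID_8021Q = 0x8100      # TPID that marks an 802.1Q tag in the EtherType slot
ETHERTYPE_IPV4 = 0x0800  # inner EtherType used for every demo frame


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an untagged frame, or an 802.1Q-tagged one when vid is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID out of range")
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    off = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0xFFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[off:]}


def access_port_ingress(frame: bytes, mac_to_vid: dict, default_vid: int) -> Optional[bytes]:
    """Switch/AP side: on an access (untagged) port, pick the VLAN from the source MAC
    (an SSID-to-VLAN map works the same way) and insert the tag. A tag supplied by the
    client on an access port is dropped, so a host cannot pick its own VLAN."""
    f = parse_frame(frame)
    if f["vid"] is not None:
        return None
    vid = mac_to_vid.get(f["src"], default_vid)
    return build_frame(f["dst"], f["src"], f["payload"], vid=vid)


def router_ingress(frame: bytes, vlan_interfaces: dict) -> Optional[str]:
    """Router side (what pfSense does on its trunk): read the VID already on the frame
    and hand it to the matching VLAN interface; frames with an unknown VID are discarded."""
    f = parse_frame(frame)
    return vlan_interfaces.get(f["vid"])


# Constructed inventory, the role the TZ400 address objects play in the thread.
MAC_TO_VID = {
    "00:11:22:33:44:01": 30,   # camera
    "00:11:22:33:44:02": 50,   # HVAC controller
}
# Constructed VLAN-to-interface map as the router would see it.
VLAN_IFACES = {10: "servers", 20: "workstations", 30: "cameras", 40: "wireless", 50: "hvac"}


def demo() -> dict:
    """Run three wireless clients through the edge and then the router."""
    results = {}
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"):
        raw = build_frame("ff:ff:ff:ff:ff:ff", mac, b"\x45" + b"\x00" * 19)
        tagged = access_port_ingress(raw, MAC_TO_VID, default_vid=40)
        results[mac] = router_ingress(tagged, VLAN_IFACES)
    return results


if __name__ == "__main__":
    for mac, iface in demo().items():
        print(f"{mac} -> VLAN interface {iface}")
```

The unknown MAC lands on the default VLAN 40 (general wireless), the camera and HVAC MACs are steered to 30 and 50, and the router never consults a MAC table at all. Dropping client-supplied tags on the access port is the detail that keeps the scheme honest: without it, any wireless client could tag its own frames and choose its VLAN.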